Duqu targeted each victim with unique files and servers

Well-financed developers had sense of humor


The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published on Friday.

What's more, two of the drivers the sophisticated, highly modular rootkit used in one attack showed compilation dates of 2007 and 2008, Alexander Gostev, the Kaspersky Lab expert and author of the report said. If the dates are genuine, they suggest the Duqu architects may have spent the past four years developing the malware.

Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence, security researchers around the world are examining every email and computer file associated with Duqu for clues about who created and and for what purpose. They have yet to establish a direct link to the Stuxnet worm that was unleashed to sabotage uranium-enrichment plants in Iran, but the aggregate picture of Duqu that's emerging is that like Stuxnet, it was painstakingly developed by a world-class team of disciplined and well-financed engineers.

The Duqu version examined in Friday's report was recovered by the Sudan Computer Emergency Response Team from an undisclosed company that the attackers targeted in advance. Like attacks on other targets, it was launched using a booby-trapped Word document with content that was tailored to the receiving organization and exploited a previously unknown vulnerability in the kernel of all supported versions of Microsoft Windows.

The first attempt at infection in the incident studied by Kaspersky failed because the email containing the Word document wound up in a spam folder. On May 21, four days after the first email was sent, the attackers tried again with a slightly modified message. Both the subject line and the title of the attached file referenced the targeted company specifically. Interestingly, the DLL file that served as the trojan's main module was dated April 17, the same day as the first attempt to infect the target.

When the recipient of the second email opened the Word document, a malicious payload immediately hijacked the computer, but sat dormant for about 10 minutes, Gostev said. The exploit didn't actually install the spy components until the end user went idle. The infected computer used a command and control server researchers have never seen before. So far, investigators have identified at least four such servers, and each one was used to send and receive data from only one target.

In late May, a second computer in the attack examined by Kaspersky was infected over the targeted company's local network. Gostev didn't say how the Duqu infection was able to spread. Separate research from Symantec has suggested the malware is was able to spread across networks through SMB connections used to share files from machine to machine.

For all the skill and care the attackers took, they also showed an intriguing sense of humor. The malicious shellcode for their exploit was embedded in a fictitious font called “Dexter Regular,” and contained the line “Copyright (c) 2003 Showtime Inc.” The hidden message is an obvious reference to the Dexter television series, which depicts a ritualistic serial killer who works as a crime-scene investigator for the Miami Police Department.

“This is another prank pulled by the Duqu authors,” Gostev wrote. ®


Other stories you might like

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • This Windows malware uses PowerShell to inject malicious extension into Chrome
    And that's a bit odd, says Red Canary

    A strain of Windows uses PowerShell to add a malicious extension to a victim's Chrome browser for nefarious purposes. A macOS variant exists that uses Bash to achieve the same and also targets Safari.

    The makers of the ChromeLoader software nasty ensure their malware is persistent once on a system and is difficult to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been tracking the strain since early February and have seen a flurry of recent activity.

    "We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called 'ChromeLoader' – and only later learned that we were catching ChromeLoader in the middle stage of its deployment," Aedan Russell, detection engineer at Red Canary, wrote in a blog post this week.

    Continue reading
  • Cisco EVP: We need to lift everyone above the cybersecurity poverty line
    It's going to become a human-rights issue, Jeetu Patel tells The Register

    RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

    "It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

    "This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Ransomware encrypts files, demands three good deeds to restore data
    Shut up and take ... poor kids to KFC?

    In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.

    The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.

    "As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang. 

    Continue reading

Biting the hand that feeds IT © 1998–2022